Latest working kernel version: 2.6.25 pure kernel.
Earliest failing kernel version: 2.6.25 -latest git
Distribution:Debian Testing
Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
Software Environment:
Problem Description:
I get this oops with my PCMCIA CDMA card.
lsusb not working. Cannot connect to internet.

usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 6-1: Product: Huawei Mobile
usb 6-1: Manufacturer: Huawei Technologies
Initializing USB Mass Storage driver...
BUG: unable to handle kernel NULL pointer dereference at 00000004
IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd joydev
snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss arc4
firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss
crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event mac80211
led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci battery
psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket
rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801 soundcore
usbcore 8139cp 8139too i2c_core

Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
EIP is at scsi_destroy_command_freelist+0x10/0x54
EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec f72bfd28
       c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c c01e23f9
       f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1 f72bfd68
Call Trace:
 [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
 [<c02541de>] ? device_release+0x37/0x5c
 [<c01e197c>] ? kobject_release+0x40/0x50
 [<c01e193c>] ? kobject_release+0x0/0x50
 [<c01e23f9>] ? kref_put+0x39/0x44
 [<c01e18bb>] ? kobject_put+0x3c/0x41
 [<c0253de1>] ? put_device+0xf/0x11
 [<c025b7c2>] ? scsi_host_put+0xd/0xf
 [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
 [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
 [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
 [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
 [<c0256007>] ? driver_probe_device+0xa0/0x11b
 [<c02560bc>] ? __driver_attach+0x3a/0x59
 [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
 [<c0255eac>] ? driver_attach+0x14/0x16
 [<c0256082>] ? __driver_attach+0x0/0x59
 [<c0255cac>] ? bus_add_driver+0x97/0x1a7
 [<c02562c3>] ? driver_register+0x71/0xcd
 [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
 [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
 [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
 [<c014a0f4>] ? find_lock_page+0x29/0x76
 [<c0103871>] ? sysenter_past_esp+0x6a/0x91
 =======================
Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00 5b 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a 04 89 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8
EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP 0068:f72bfd04
---[ end trace ec8749a2ebb6e124 ]---

Steps to reproduce:
Insert pcmcia card into cardbus slot or boot with PCMCIA card inserted.
Created attachment 16014: dmesg 2.6.25-latest git
Reply-To: akpm@linux-foundation.org

(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Sat, 3 May 2008 06:38:53 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=10598
>
> Summary: Huawei CDMA PCMCIA card oops
> Product: Drivers
> Version: 2.5
> KernelVersion: 2.6.25-current git
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: high
> Priority: P1
> Component: USB
> AssignedTo: greg@kroah.com
> ReportedBy: p.kysilka@aegis.cz
>
>
> Latest working kernel version: 2.6.25 pure kernel.
> Earliest failing kernel version: 2.6.25 -latest git
> Distribution:Debian Testing
> Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
> Software Environment:
> Problem Description:
> I get this oops with my PCMCIA CDMA card.
> lsusb not working. Cannot connect to internet.
>
> usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
> usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> usb 6-1: Product: Huawei Mobile
> usb 6-1: Manufacturer: Huawei Technologies
> Initializing USB Mass Storage driver...
> BUG: unable to handle kernel NULL pointer dereference at 00000004
> IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
> *pde = 00000000
> Oops: 0000 [#1] SMP
> Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd
> joydev
> snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss arc4
> firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss
> crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event mac80211
> led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci battery
> psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket
> rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801
> soundcore
> usbcore 8139cp 8139too i2c_core
>
> Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
> EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
> EIP is at scsi_destroy_command_freelist+0x10/0x54
> EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
> ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
> Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec
> f72bfd28
> c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c
> c01e23f9
> f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1
> f72bfd68
> Call Trace:
> [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
> [<c02541de>] ? device_release+0x37/0x5c
> [<c01e197c>] ? kobject_release+0x40/0x50
> [<c01e193c>] ? kobject_release+0x0/0x50
> [<c01e23f9>] ? kref_put+0x39/0x44
> [<c01e18bb>] ? kobject_put+0x3c/0x41
> [<c0253de1>] ? put_device+0xf/0x11
> [<c025b7c2>] ? scsi_host_put+0xd/0xf
> [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
> [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
> [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
> [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
> [<c0256007>] ? driver_probe_device+0xa0/0x11b
> [<c02560bc>] ? __driver_attach+0x3a/0x59
> [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
> [<c0255eac>] ? driver_attach+0x14/0x16
> [<c0256082>] ? __driver_attach+0x0/0x59
> [<c0255cac>] ? bus_add_driver+0x97/0x1a7
> [<c02562c3>] ? driver_register+0x71/0xcd
> [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
> [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
> [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
> [<c014a0f4>] ? find_lock_page+0x29/0x76
> [<c0103871>] ? sysenter_past_esp+0x6a/0x91
> =======================
> Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00 5b
> 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a 04
> 89
> 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8
> EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP
> 0068:f72bfd04
> ---[ end trace ec8749a2ebb6e124 ]---

I think James fixed this very recently, but I'm unsure which commit did this?

<looks>

Nope, maybe it hasn't been merged yet.

I suspect it's this one:

commit 61d7416a286e840d905c18b1e6b0977c036c8656
Author: Alan D. Brunelle <Alan.Brunelle@hp.com>
Date: Tue Apr 29 16:12:51 2008 -0400

    [SCSI] bug fix for free list handling

    commit: commit 542bd1377a963070bc4a03ff7d2690ddf3920596
    Author: James Bottomley <James.Bottomley@HansenPartnership.com>
    Date: Mon Apr 21 10:57:20 2008 -0500

        [SCSI] fix SLUB WARN_ON

    Fixed another problem in free list handling by moving list allocation
    from scsi_host_alloc() to scsi_add_host(). Unfortunately it introduced
    a new failure mode in that hosts can pass straight from alloc to put
    without going through add, leaving the free list uninitialised. Fix by
    checking shost->cmd_pool on the release path to see if it got
    initialised.

    Signed-off-by: Alan D. Brunelle <alan.brunelle@hp.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index 12d69d7..749c9c7 100644 --- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c @@ -469,6 +469,7 @@ int scsi_setup_command_freelist(struct Scsi_Host *shost) cmd = scsi_pool_alloc_command(shost->cmd_pool, gfp_mask); if (!cmd) { scsi_put_host_cmd_pool(gfp_mask); + shost->cmd_pool = NULL; return -ENOMEM; } list_add(&cmd->list, &shost->free_list); @@ -481,6 +482,13 @@ int scsi_setup_command_freelist(struct Scsi_Host *shost) */ void scsi_destroy_command_freelist(struct Scsi_Host *shost) { + /* + * If cmd_pool is NULL the free list was not initialized, so + * do not attempt to release resources. + */ + if (!shost->cmd_pool) + return; + while (!list_empty(&shost->free_list)) { struct scsi_cmnd *cmd;
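Review bot: The "shost->cmd_pool = NULL;" added to the -ENOMEM path of scsi_setup_command_freelist() needs a short comment saying that cmd_pool now doubles as the "free list was initialised" flag read by scsi_destroy_command_freelist(). Without it, a later error path added to this function could return after scsi_put_host_cmd_pool(gfp_mask) with cmd_pool still set, and the release path would then walk a list that was never set up.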
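Review bot: The "if (!shost->cmd_pool) return;" guard at the top of scsi_destroy_command_freelist() is only correct if cmd_pool is guaranteed to be NULL on a host that went from alloc to put without add, and nothing in this hunk shows where that guarantee comes from. Either state it in the new comment, or initialise free_list where the host is allocated so that list_empty(&shost->free_list) is safe on its own and the guard is not the only thing standing between the release path and an uninitialised list head.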
Reply-To: James.Bottomley@HansenPartnership.com

On Sat, 2008-05-03 at 07:44 -0700, Andrew Morton wrote:
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> On Sat, 3 May 2008 06:38:53 -0700 (PDT) bugme-daemon@bugzilla.kernel.org
> wrote:
>
> > http://bugzilla.kernel.org/show_bug.cgi?id=10598
> >
> > Summary: Huawei CDMA PCMCIA card oops
> > Product: Drivers
> > Version: 2.5
> > KernelVersion: 2.6.25-current git
> > Platform: All
> > OS/Version: Linux
> > Tree: Mainline
> > Status: NEW
> > Severity: high
> > Priority: P1
> > Component: USB
> > AssignedTo: greg@kroah.com
> > ReportedBy: p.kysilka@aegis.cz
> >
> >
> > Latest working kernel version: 2.6.25 pure kernel.
> > Earliest failing kernel version: 2.6.25 -latest git
> > Distribution:Debian Testing
> > Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
> > Software Environment:
> > Problem Description:
> > I get this oops with my PCMCIA CDMA card.
> > lsusb not working. Cannot connect to internet.
> >
> > usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
> > usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> > usb 6-1: Product: Huawei Mobile
> > usb 6-1: Manufacturer: Huawei Technologies
> > Initializing USB Mass Storage driver...
> > BUG: unable to handle kernel NULL pointer dereference at 00000004
> > IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
> > *pde = 00000000
> > Oops: 0000 [#1] SMP
> > Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd
> joydev
> > snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss
> arc4
> > firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss
> > crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event
> mac80211
> > led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci
> battery
> > psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket
> > rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801
> soundcore
> > usbcore 8139cp 8139too i2c_core
> >
> > Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
> > EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
> > EIP is at scsi_destroy_command_freelist+0x10/0x54
> > EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
> > ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
> > DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> > Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
> > Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec
> f72bfd28
> > c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c
> c01e23f9
> > f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1
> f72bfd68
> > Call Trace:
> > [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
> > [<c02541de>] ? device_release+0x37/0x5c
> > [<c01e197c>] ? kobject_release+0x40/0x50
> > [<c01e193c>] ? kobject_release+0x0/0x50
> > [<c01e23f9>] ? kref_put+0x39/0x44
> > [<c01e18bb>] ? kobject_put+0x3c/0x41
> > [<c0253de1>] ? put_device+0xf/0x11
> > [<c025b7c2>] ? scsi_host_put+0xd/0xf
> > [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
> > [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
> > [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
> > [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
> > [<c0256007>] ? driver_probe_device+0xa0/0x11b
> > [<c02560bc>] ? __driver_attach+0x3a/0x59
> > [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
> > [<c0255eac>] ? driver_attach+0x14/0x16
> > [<c0256082>] ? __driver_attach+0x0/0x59
> > [<c0255cac>] ? bus_add_driver+0x97/0x1a7
> > [<c02562c3>] ? driver_register+0x71/0xcd
> > [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
> > [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
> > [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
> > [<c014a0f4>] ? find_lock_page+0x29/0x76
> > [<c0103871>] ? sysenter_past_esp+0x6a/0x91
> > =======================
> > Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00
> 5b
> > 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a
> 04 89
> > 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8
> > EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP
> 0068:f72bfd04
> > ---[ end trace ec8749a2ebb6e124 ]---
>
> I think James fixed this very recently, but I'm unsure which commit did this?
>
> <looks>
>
> Nope, maybe it hasn't been merged yet.
>
> I suspect it's this one:
>
> commit 61d7416a286e840d905c18b1e6b0977c036c8656
> Author: Alan D. Brunelle <Alan.Brunelle@hp.com>
> Date: Tue Apr 29 16:12:51 2008 -0400
>
> [SCSI] bug fix for free list handling

Yes, that's the fix. It's in the queue with a pull request sent at the moment.

James
Pavel, can you confirm that it's fixed in 2.6.26-rc1?
Please reopen this bug if it's still present with 2.6.26-rc2.